Commit 059fbf1

Merge pull request #1029 from marty-rabens/prevent-XXE-processing
Prevent XXE (Xml eXternal Entity) injection when parsing XML data
2 parents e561566 + 4c90b6f commit 059fbf1

1 file changed

+2
-0
lines changed

biojava-core/src/main/java/org/biojava/nbio/core/util/XMLHelper.java

Lines changed: 2 additions & 0 deletions
@@ -34,6 +34,7 @@
3434
import javax.xml.transform.TransformerFactory;
3535
import javax.xml.transform.dom.DOMSource;
3636
import javax.xml.transform.stream.StreamResult;
37+
import javax.xml.XMLConstants;
3738
import javax.xml.xpath.XPath;
3839
import javax.xml.xpath.XPathConstants;
3940
import javax.xml.xpath.XPathExpressionException;
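Review bot: the added `import javax.xml.XMLConstants;` sits between `javax.xml.transform.stream.StreamResult` and `javax.xml.xpath.XPath`, which breaks the alphabetical order of the surrounding imports. It sorts ahead of the `javax.xml.transform.*` lines, so move it up to keep the import block ordered.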
@@ -105,6 +106,7 @@ public static Document inputStreamToDocument(InputStream inputStream) throws SAX
105106
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
106107

107108
DocumentBuilder db = dbf.newDocumentBuilder();
109+
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
108110

109111
Document doc = db.parse(inputStream);
110112
doc.getDocumentElement().normalize();
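Review bot: the added `dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` runs after `DocumentBuilder db = dbf.newDocumentBuilder();`, so the builder that goes on to call `db.parse(inputStream)` was created before the feature was set and is not configured by it. Factory features only affect builders created afterwards, so the call needs to move above `newDocumentBuilder()`. Since the stated goal is preventing XXE, also consider setting `http://apache.org/xml/features/disallow-doctype-decl` to true on the factory, because what `FEATURE_SECURE_PROCESSING` restricts depends on the parser implementation, and add a unit test that feeds this method a document whose DOCTYPE declares an external entity and asserts that it is rejected or left unexpanded.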
